
Issues with setting scom to monitor DMZ machines

215 Views
Last Modified: 2017-06-07
Hi,
I am having difficulties setting up SCOM to monitor DMZ machines. I have set it up fine for non-DMZ PCs. However, trying to set it up for a non-domain machine is being a headache.
I have followed the following article:
https://marckean.com/2012/07/19/installing-scom-2012-agent-on-a-non-domain-workgroup-windows-server-core-computer-using-the-command-line/

However, the last part with the MOMCertImport tool, importing the PFX, always throws a "catastrophic error". The certificate is valid but cannot be imported.
Any help is appreciated.

Chris (Sr. Systems Engineer)

Commented:
I had this exact same thing when I deployed mine.

First, when you create the cert in scom, just create it with the short name, not an FQDN.

Do the remainder of the steps.

When you get to the last step, run the MOMCertImport.exe from an elevated prompt, with nothing specified. It will pop open a selection box, select the imported certificate.

and it should work.

Author

Commented:
I was able to import it, but I am still unable to build a trust relationship between the DMZ VM and the SCOM server. Here are the logs from the DMZ VM:

The OpsMgr Connector cannot create a mutually authenticated connection to SRV-SCOM-MSS.slbntdom.neptunetg.com because it is not in a trusted domain.

and this is the log from the SCOM server:

The specified certificate could not be loaded because the Subject name on the certificate does not match the local computer name
 Certificate Subject Name : SCOMTestvm
 Computer Name            : SRV-SCOM-MSS.slbntdom.neptunetg.com

Another error log that could be related:

A Certificate for use with Mutual Authentication was specified, but that certificate could not be found.  The ability for this Health Service to communicate will likely be impacted.

I attached a screenshot of the Certificates console on the VM as well.


P.S. SRV-SCOM-MSS is the SCOM server and CA.
Chris (Sr. Systems Engineer)

Commented:
Sorry, I did not explain that very well.
Issue a certificate from the CA for the DMZ machine, using just the server host name, not an FQDN.

The SCOM server can be fully qualified, just not the DMZ.

Copy that standalone cert to the DMZ machine, import it into Certificates, and run that command MOMCertImport.exe from an elevated prompt.

Author

Commented:
Hi Chris,
So I did follow all those steps, however I still get the trust relationship error in the logs and my SCOM can't connect to the DMZ machine.

Author

Commented:
Question for that guide. It says that I need to manually add a domain suffix to my DMZ machine. What does that mean? Like literally just rename my DMZ CN to computername.domainname.com?
Chris (Sr. Systems Engineer)

Commented:
Sure, good question.
So it means to go into the NIC Ethernet Properties, select IPv4 properties, then select Advanced.
(screenshot: ipv4_advanced.PNG)
Then select the DNS tab, then fill in a suffix in the lower box.
(screenshot: dns_suffix.PNG)
While it does indicate to do this, in my experience it doesn't really make a difference.
As long as the HOSTNAME of the DMZ machine matches the "common name" on the certificate, it will work.
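The checks in this thread (certificate subject must match the computer name, the certificate must be present with its private key, and MOMCertImport.exe must have registered it) can be verified on the agent machine before the next retry. The following PowerShell script is an added example written for this page; it is not from the thread, from Microsoft, or from the linked guide. It assumes the PFX has already been imported into Local Computer > Personal, that the EKU OIDs and key usage flags below are the ones Operations Manager requires of a channel certificate, and that MOMCertImport.exe records the chosen certificate's serial number (in reversed byte order) in the ChannelCertificateSerialNumber value under the Machine Settings registry key; that registry detail is stated here as an assumption. Run it from an elevated prompt on the DMZ machine.

```powershell
# Added example (not from the thread, Microsoft, or the linked guide).
# Reports, for each certificate in LocalMachine\My, the conditions the Health
# Service checks when loading its channel certificate, so the "Subject name
# ... does not match the local computer name" and "certificate could not be
# found" events can be traced to a concrete failing property.
# Assumed: the EKU OIDs and key usages below are what SCOM requires, and
# MOMCertImport.exe writes the serial (reversed bytes) to the registry value read here.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$shortName = $ipProps.HostName
$suffix    = $ipProps.DomainName       # empty on a workgroup box with no primary DNS suffix
$fqdn      = if ($suffix) { "$shortName.$suffix" } else { $shortName }

Write-Host "Computer name : $shortName"
Write-Host "DNS suffix    : $(if ($suffix) { $suffix } else { '<none>' })"
Write-Host "FQDN          : $fqdn"

# Which certificate has MOMCertImport.exe told the Health Service to use? (assumed location)
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$configuredSerial = $null
$raw = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if ($raw) {
    $bytes = [byte[]]$raw.Clone()
    [array]::Reverse($bytes)           # stored little-endian; flip to match X509Certificate2.SerialNumber
    $configuredSerial = ([System.BitConverter]::ToString($bytes)) -replace '-', ''
    Write-Host "Health Service configured serial: $configuredSerial"
} else {
    Write-Warning "ChannelCertificateSerialNumber not set: MOMCertImport.exe has not been run, or failed."
}

function Test-ScomAgentCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $eku = @($Cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
    $ku  = $Cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
    $now = Get-Date

    [pscustomobject]@{
        Subject          = $cn
        Serial           = $Cert.SerialNumber
        # The "Subject name ... does not match the local computer name" event is this check failing.
        NameMatchesHost  = ($cn -eq $shortName -or $cn -eq $fqdn)
        HasPrivateKey    = $Cert.HasPrivateKey
        ServerAuthEku    = $eku -contains $serverAuthOid
        ClientAuthEku    = $eku -contains $clientAuthOid
        SignAndEncipher  = ($null -ne $ku) -and
                           $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -and
                           $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        InValidityPeriod = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        # False until the issuing CA's root is in Trusted Root Certification Authorities on this machine.
        ChainTrusted     = $Cert.Verify()
        IsConfiguredCert = ($null -ne $configuredSerial -and $Cert.SerialNumber -eq $configuredSerial)
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ScomAgentCertificate -Cert $_ }
$results | Format-Table -AutoSize

$usable = $results | Where-Object {
    $_.NameMatchesHost -and $_.HasPrivateKey -and $_.ServerAuthEku -and $_.ClientAuthEku -and
    $_.SignAndEncipher -and $_.InValidityPeriod -and $_.ChainTrusted
}
if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My passes every check; fix the failing column(s) before re-running MOMCertImport.exe."
} elseif (-not ($usable | Where-Object IsConfiguredCert)) {
    Write-Warning "A usable certificate exists but is not the one registered; re-run MOMCertImport.exe and select it."
}
```

The same script run on the management server shows the mirror-image problem from the thread's server-side log: a certificate whose Subject is the DMZ VM's name (SCOMTestvm) sitting in the server's own store will show NameMatchesHost false there, which is exactly the event quoted above. Each side needs its own certificate, issued to its own name, and both need the CA's root certificate in Trusted Root so that ChainTrusted comes back true.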

Author

Commented:
Thanks Chris. If it is not necessary I will first try without the domain suffix. However,
the guide also says that it is assumed the prerequisites are done before starting the guide:

Pre-reqs:

It is assumed that you have AD CS installed, an HTTPS binding is being used, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.

Which certificate is being talked about as already installed? My CA and SCOM server are the same. Does that mean I can assume my certificate is already installed and that prerequisite is completed?
Chris (Sr. Systems Engineer)

Commented:
Sure,
ok, so in this context, what it is saying is that you have a PKI environment already set up and working (CA, and/or SubCA if applicable),
and that you are connecting to the SCOM server over HTTPS. Therefore you have issued a web certificate to the SCOM server from the CA/SubCA, and installed that signed web certificate for SCOM into IIS on the SCOM server.

If you have done all that, then yes, you have completed the pre-req.

So in your example, you indicate the servers are the same system. You still have to generate a web cert for IIS from the CA (local box) and install that web cert into IIS to enable the HTTPS binding.

Just an FYI though - it is generally a bad practice to install anything else on your CA. This machine should be entirely standalone, with no other services running on it that aren't directly related to or in support of Certificate Services.

Author

Commented:
(screenshot: Capture.JPG)
Chris, I see this red mark when I go to my SCOM/CA server page. Is this a problem? Or can this be ignored?
Chris (Sr. Systems Engineer)

Commented:
It means the server name / full URL doesn't match the common name on the certificate.

To elaborate: let's say you want to type https://myca.mydomain.net into your browser.
The certificate needs to be created with the common name set to: myca.mydomain.net

In your picture, I can see you've entered https://srv-scom-mss
however, in the CA banner, the full server name is: srv-scom-mss.slbntdom.neptunetg...etc...
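The name-mismatch warning can be diagnosed without guessing by pulling the certificate the CA web page actually presents and listing the names it covers. The PowerShell below is an added example written for this page, not code from the thread or from any Microsoft tool. It uses the https://myca.mydomain.net host name from the explanation above purely as a placeholder; substitute the name you type into the browser. One caveat the thread does not mention: current browsers ignore the common name entirely and require the host name to appear in the Subject Alternative Name extension, so the script reports CN and SAN matches separately.

```powershell
# Added example (not from the thread or from Microsoft). Fetches the TLS
# certificate an HTTPS endpoint presents and reports whether the host name you
# browse to is covered by its Subject Alternative Names or only by its CN.
# The validation callback accepts any certificate so that a mismatched or
# untrusted one can still be inspected; this is an inspection script, not a client.

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)     # sends SNI = $HostName, like a browser would
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CertificateCoversHost {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Subject Alternative Name is OID 2.5.29.17; Windows formats it as "DNS Name=a, DNS Name=b".
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }

    # Exact (case-insensitive) match, or a wildcard that covers exactly one left-most label.
    $isMatch = {
        param([string]$Pattern)
        if ($HostName -eq $Pattern) { return $true }
        if ($Pattern.StartsWith('*.')) {
            return $HostName -match ('^[^.]+\.' + [regex]::Escape($Pattern.Substring(2)) + '$')
        }
        return $false
    }

    $sanMatch = @($sans | Where-Object { & $isMatch $_ }).Count -gt 0
    $cnMatch  = & $isMatch $cn

    $verdict = if ($sanMatch) { 'OK: host name is in the SAN list' }
               elseif ($cnMatch) { 'CN matches but SAN does not list it: modern browsers still warn; reissue with a SAN' }
               else { 'Mismatch: browse to one of the listed names, or reissue the certificate for this name' }

    [pscustomobject]@{
        HostName        = $HostName
        CommonName      = $cn
        SubjectAltNames = ($sans -join ', ')
        MatchesSan      = $sanMatch
        MatchesCnOnly   = ($cnMatch -and -not $sanMatch)
        NotAfter        = $Cert.NotAfter
        Verdict         = $verdict
    }
}

# Placeholder host from the explanation above; replace with the name you actually type.
$target = 'myca.mydomain.net'
$cert = Get-TlsServerCertificate -HostName $target
Test-CertificateCoversHost -Cert $cert -HostName $target | Format-List
```

Running it once with the short name and once with the FQDN shows directly which of the two URLs the certificate was issued for, which is the mismatch described above: the banner shows the fully qualified name while the browser was given the short one.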

Author

Commented:
I see, but Chris, would that cause problems with issuing certificates to other DMZ machines? Like, I am still able to issue the certificates from that URL. I just don't know if that red popup is critical or not.

Sorry if this is a silly question.
Chris (Sr. Systems Engineer)

Commented:
No, it wouldn't cause a problem, it's not critical. It will still issue certificates fine.
Chris (Sr. Systems Engineer)

Commented:
Heh Neptune, did you ever get this sorted?

Author

Commented:
No, I was not able to get SCOM to trust the DMZ machines.
